Hello there,
For a few months now, Splunk has randomly displayed a blank screen where the raw data is usually shown.
It does not seem to depend on browser add-ons as I am experiencing the same issue with 3 different browsers:
As a temporary workaround, I use '| table _time _raw' to see the raw data but it is not convenient.
Out of the blue, it just comes back to normal a moment later.
The issue is very random but happens every day.
Would anyone have a clue?
Thanks in advance for any hint!
This is not random; you are exhausting all RAM that is available to your browser. You should be able to see clear evidence of this by clicking on Activity -> Job Inspector -> search.log. You are doing it wrong. There is no reason to look at Last 15 months of any data set without doing some kind of stats or chart function to reduce the bulk of the results that come back to the Search Head. To test, try adding | stats count dc(host) BY sourcetype and you will almost certainly get results. No Search Head session can process GB of final results, nor should it be expected to.
Interesting, let me check on that!
Screenshots are tiny I know but it's the last 15 min not months 🙂
And yes, if I do any transforming command it works, I mean the 'Statistics' & 'Visualizations' work, it's just the raw data part that gets blank!
Thanks
MY BAD! Last 15 minutes should be fine (stupid tiny mobile phone screen).
Try using a different browser.
I kinda did! But thanks 🙂
Is Splunk running on Linux? Check if the user has the proper rights to read the entire Splunk directory. If not, re-apply the user permissions to the entire Splunk folder.
Does this happen only for the _internal index? Or do others have the same issue?
Check if the file for the _internal index is being updated with the most recent data at $Splunk_home/var/lib/splunk/_internaldb/db
If it did not work, please create a diag file (./splunk diag), open a case with Splunk Support and attach the diag file to the case.
admin user, happens on any index, yes I have filed a case! thanks